Why you shouldn’t use iCloud Keychain for all your passwords
--
With the introduction of iOS 15 and the ability to store 2FA tokens in iCloud Keychain, some people have been considering relying on this tool to store all their passwords.
The recent LastPass hack is also making people reconsider their password manager, and I hear many are considering moving to iCloud Keychain.
I personally believe you should not use iCloud Keychain to store all your passwords, and that a dedicated password manager is safer. Let me explain why.
What is iCloud Keychain?
To put it simply, iCloud Keychain stores your passwords and autofills them when you need to log in. It syncs through iCloud and is available on iOS, iPadOS and macOS.
For more details you can check the following Apple support pages:
https://support.apple.com/en-us/HT204085
https://support.apple.com/en-gb/HT202303
Why shouldn’t I use it?
At first sight, iCloud Keychain looks very useful and convenient. It does everything a normal user needs:
- Suggest strong passwords when signing up
- Autofill passwords when logging in
- Can be used to store 2FA tokens
- Shared across devices
- It’s possible to access your passwords and login items by opening it
Sounds great, right?
It does, and it’s definitely safer than re-using the same compromised password or writing passwords in the Notes app or other unsecured locations.
But… Let’s look more carefully at the last feature:
It’s possible to access your passwords and login items by opening it
To access your passwords on iOS, you can simply go to Settings → Passwords and, after authenticating with TouchID or FaceID or PIN, you can access all your passwords.
Let me highlight how to access it again:
after authenticating with TouchID or FaceID or PIN
This means your phone’s lock PIN (usually 6 digits) is all it takes to access all your passwords.